- Original path:
profiles/base/system-artifacts.toml
# System Artifacts Profile
# Inspired by UAC (presumably the Unix-like Artifacts Collector, not Windows User Account Control) - detects system configuration, log, and administrative artifacts
# Decoders to apply to content before the patterns below are evaluated
# (presumably; confirm against the profile loader), so base64 blobs and
# URL-encoded paths are matched in decoded form.
decode = ["base64", "percent-encoding"]
# System Configuration Files (Windows)
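[[patterns]]
name = "Windows System File"
# Executables, libraries and drivers under System32/SysWOW64, including nested
# directories such as System32\drivers\*.sys (the flat form only matched files
# directly inside the folder and so missed most driver paths).
pattern = '(?:system32|SysWOW64)\\(?:[^\\]+\\)*[^\\]+\.(?:exe|dll|sys)'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Windows INI File"
# Anchored with $: the extension must end the matched text (line or input,
# depending on the engine's multiline setting).
pattern = '\.ini$'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Windows Policy File"
pattern = '(?:gpedit\.msc|secpol\.msc|group policy)'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Scheduled Task XML"
# NOTE(review): task definitions registered under System32\Tasks are stored
# without an .xml extension, so this only catches exported/staged XML copies -
# confirm that is the intent.
pattern = 'Tasks\\[^\\]+\.xml'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Service Configuration"
# Registry paths are case-insensitive and commonly abbreviated (HKLM); persisted
# control sets appear as ControlSet00N rather than CurrentControlSet.
pattern = '(?:HKEY_LOCAL_MACHINE|HKLM)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services'
case-insensitive = true
type = "regex"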
# System Configuration Files (Unix/Linux)
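[[patterns]]
name = "Crontab"
# System crontab, per-user spool, and the cron.d / cron.hourly / cron.daily /
# cron.weekly / cron.monthly drop-in directories the original did not cover.
pattern = '(?:/etc/crontab|/etc/cron\.(?:d|hourly|daily|weekly|monthly)|/var/spool/cron)'
type = "regex"

[[patterns]]
name = "Unix Config File"
# Accepts nested paths such as /etc/nginx/nginx.conf, not only files directly in /etc.
pattern = '/etc/(?:[a-z0-9._-]+/)*[a-z0-9._-]+\.conf'
type = "regex"

[[patterns]]
name = "Systemd Service"
# Timer and socket units also start code (on schedule / on connect); the name is
# kept unchanged so signatures selecting '%Service%' keep working.
pattern = '\.(?:service|timer|socket)$'
type = "regex"

[[patterns]]
name = "Init Script"
# Plain substring match, so no regex escaping: the previous value "/etc/init\.d/"
# was a string-type pattern containing a literal backslash and could never match.
pattern = "/etc/init.d/"
type = "string"

[[patterns]]
name = "RC Script"
# Runlevel directories rc0.d..rc6.d, rcS.d, and rc.local.
pattern = '/etc/rc(?:[0-6S]\.d/|\.local)'
type = "regex"

[[patterns]]
name = "Passwd File"
pattern = "/etc/passwd"
type = "string"

[[patterns]]
name = "Shadow File"
pattern = "/etc/shadow"
type = "string"

[[patterns]]
name = "Sudoers File"
# Substring match, so /etc/sudoers.d/ drop-ins are covered as well.
pattern = "/etc/sudoers"
type = "string"

[[patterns]]
name = "SSH Config"
# Server and client config, plus per-user .ssh/config under any home directory.
# The dot is now escaped and the literal "~" prefix dropped: "~/.ssh/config" only
# matched text that spelled the path with a tilde.
pattern = '/etc/ssh/sshd?_config|/\.ssh/config'
type = "regex"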
# Log Files
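[[patterns]]
name = "Application Log"
pattern = '\.log$'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Windows Event Reference"
# Any .evtx channel file (Security, System, PowerShell, ...), not only Application.evtx.
pattern = 'Event(?:Log|Viewer)|\.evtx'
case-insensitive = true
type = "regex"

[[patterns]]
name = "IIS Log"
# u_ex<date>.log rollover names: yyww / yymm (4 digits), yymmdd (6), yymmddhh (8).
pattern = 'u_ex\d{4,8}\.log'
type = "regex"

[[patterns]]
name = "Apache/Nginx Log"
# Debian-style access.log / error.log and RHEL httpd access_log / error_log.
pattern = '(?:access|error)[._]log'
type = "regex"

[[patterns]]
name = "Audit Log"
# Substring match, so no regex escaping: the previous "audit\.log" carried a
# literal backslash in a string-type pattern and could never match.
pattern = "/var/log/audit/audit.log"
type = "string"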
# User Activity
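[[patterns]]
name = "User Profile Path"
# Any drive letter and any case: "c:\users\bob" was not matched by the
# case-sensitive, C:-only form.
pattern = '(?:[A-Za-z]:\\Users\\|/home/|/Users/)[^/\\]+'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Desktop File"
# Broad: also fires on URLs or paths containing "Downloads/" that are not user folders.
pattern = '(?:Desktop|Documents|Downloads)[\\/]'
case-insensitive = true
type = "regex"

[[patterns]]
name = "AppData Reference"
pattern = 'AppData\\(?:Local|Roaming|LocalLow)'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Temp Directory"
# Adds the per-user Windows temp folder (AppData\Local\Temp) and /dev/shm, and
# accepts any drive letter for the system-wide Windows temp directories.
pattern = '(?:[A-Za-z]:\\(?:Temp|Windows\\Temp)|AppData\\Local\\Temp|/tmp/|/var/tmp/|/dev/shm/)'
case-insensitive = true
type = "regex"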
# Network Configuration
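[[patterns]]
name = "Hosts File"
# Windows path anchored on \drivers\etc\hosts so non-C: drives and non-default
# Windows directories are covered too.
pattern = '/etc/hosts|\\drivers\\etc\\hosts'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Network Interface Config"
# Debian ifupdown, RHEL network-scripts, and netplan.
pattern = '/etc/network/interfaces|/etc/sysconfig/network-scripts|/etc/netplan/'
type = "regex"

[[patterns]]
name = "Resolv.conf"
# Substring match, so no regex escaping: the previous "resolv\.conf" carried a
# literal backslash in a string-type pattern and could never match.
pattern = "/etc/resolv.conf"
type = "string"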
# Startup and Autorun
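[[patterns]]
name = "Autorun Registry Key"
# Run, RunOnce, RunOnceEx and RunServices, the Policies\Explorer\Run variant, and
# the Wow6432Node view; registry key names are case-insensitive.
pattern = 'SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?:Policies\\Explorer\\)?Run(?:Once|OnceEx|Services)?'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Startup Folder"
pattern = 'Start Menu\\Programs\\Startup'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Boot Configuration"
# "BCD" needs word boundaries: combined with case-insensitive matching the bare
# token fired on any word containing "bcd" (e.g. "abcdef"). bcdedit is the tool
# that edits the store and is worth catching on its own.
pattern = '(?:boot\.ini|\bBCD\b|\bbcdedit\b)'
case-insensitive = true
type = "regex"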
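[[signatures]]
name = "System Configuration Changes"
# Sweeps in every pattern whose name contains "Config" or "Service": Unix Config
# File, Service Configuration, Systemd Service, SSH Config, Network Interface
# Config and Boot Configuration.
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%Config%' OR pattern_name LIKE '%Service%'"

[[signatures]]
name = "User Activity Artifacts"
# DISTINCT added for consistency with the signature above; without it a file
# hitting several of these patterns is returned once per matching row.
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('User Profile Path', 'Desktop File', 'AppData Reference', 'Temp Directory')"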